The Illinois case "should be a wake-up call for any organization handling protected health information to the threats posed by insiders," says privacy attorney David Holtzman, vice president of compliance at the security consulting firm CynergisTek.

Jason Laut, a former paramedic who was also a supervisor, dispatch manager and systems administrator at an Illinois ambulance company, has been indicted in a federal identity theft and fraud case involving allegations he altered patient records as part of a scheme to steal narcotics from a local hospital.

In a criminal indictment filed on Jan. 18 in Southern Illinois U.S. District Court, federal prosecutors allege that Laut devised a scheme to defraud Memorial Hospital in Belleville, Ill., through the theft and misuse of the controlled substances Fentanyl and Morphine while performing his duties as a paramedic or paramedic supervisor at MedStar Ambulance Co. in Sparta, Ill.

MedStar provides ambulance services to residents living in counties served by the Southern Illinois Emergency Medical Services System. Those EMS services are operated out of Memorial Hospital, which is an Illinois Department of Public Health approved resource hospital, the court documents explain.

Memorial Hospital supplies various drugs to paramedics in containers known as "narcotics boxes," the court documents say. "Staff at Memorial Hospital would refill a depleted narcotics box from one of the region's ambulances when a paramedic would present the narcotics box and narcotics log."

Privileged Access

As a system administrator, Laut had the ability to edit or alter data entered on patient care reports, or PCRs, that were generated during and after ambulance calls, prosecutors allege.

The indictment says Laut, "utilizing his administrator access, would ... alter PCR reports for ambulance runs to indicate that controlled substances, specifically Fentanyl and Morphine, were dispensed when in fact they were not dispensed, wasted or utilized."

Prosecutors allege that "Laut would enter false information onto narcotics logs for narcotics boxes maintained in ambulances where he was acting as the paramedic, for those where he arrived on scene as a supervisor and also the narcotics log for the narcotics box in his supervisory vehicle."

Laut allegedly would "falsely claim on the narcotics log to have given controlled substances to patients where no ambulance trip was made or that the patient did not exist. These 'phantom' entries occurred on numerous occasions," the indictment alleges.

"Laut claimed to have given controlled substances to patients that refused medical treatment or where the condition of the patient would have precluded the use of Fentanyl, or Laut falsely claimed to have received authorization for the dispensing of controlled substances, including on at least one occasion where the doctor he claimed gave the authority no longer worked at the receiving hospital," the indictment alleges.

Prosecutors allege the scheme ran from January 2013 to May 2015. Laut was indicted on 37 counts: six of wire fraud, 29 of making false statements and two of aggravated identity theft. A warrant has been issued for his arrest.

Insider Threats

Some security and privacy experts say the allegations against Laut are an important reminder about the security, privacy - and potential patient safety - risks posed by insiders.

"The focus on cybersecurity is good news and bad news," says privacy attorney Kirk Nahra of the law firm Wiley Rein. The intensified attention of late on cyberattacks involving hackers is important, he says, "but in some cases that's been a distraction from the ongoing threat of insiders."

Holtzman of CynergisTek notes: "Surveys conducted over a number of years have consistently shown that the majority of incidents involving unauthorized use or disclosure of protected health information involve insiders who are misusing access to the information systems for which they have been granted access.

"Organizations must adopt and implement technologies that monitor access and audit users' activity of information systems that maintain PHI," he says. "And when your audit management tool identifies unusual activity, the organization must take action to investigate the events to determine the extent of any unauthorized activity and prevent further damage from occurring."

Healthcare organizations should carefully manage creation of system administrator accounts, Holtzman also advises.

"Minimizing the number of system administrator accounts can reduce the risk of unauthorized access or opportunities for inappropriate behavior by the authorized user," he notes. "It is also important to monitor the activity of those with system administrator roles to ensure that they are not creating enhanced privileges in the system that would allow them to defeat security controls put into place to recognize inappropriate system activity."

Organizations also should periodically review who has been provided system administrator access to assess if the enhanced privileges are still needed, he adds.
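The kind of audit-log review Holtzman describes can be automated against the access records most ePCR systems already keep. The following is an added example, not code from the original article, MedStar or Memorial Hospital, and the audit records it runs over are constructed sample data with assumed field names (event, user, role, run_id, fields, target, granted). It implements three checks that map onto the allegations in the indictment: controlled-substance fields on a patient care report edited after the report was closed, narcotics-log entries that cite a run for which no PCR was ever created, and an administrator granting new privileges to their own account.

```python
import json

# Constructed sample audit records (not real data). The event names and
# field names are assumptions about what an ePCR audit trail might carry.
SAMPLE_AUDIT = """
{"ts":"2014-03-02T10:05:00","event":"pcr.create","user":"medic01","role":"paramedic","run_id":"R-1001","fields":{"fentanyl_mcg":0}}
{"ts":"2014-03-02T11:40:00","event":"pcr.close","user":"medic01","role":"paramedic","run_id":"R-1001"}
{"ts":"2014-03-05T23:12:00","event":"pcr.edit","user":"admin01","role":"sysadmin","run_id":"R-1001","fields":{"fentanyl_mcg":100}}
{"ts":"2014-03-06T08:00:00","event":"narc.entry","user":"admin01","role":"sysadmin","run_id":"R-1001","drug":"fentanyl","qty_mcg":100}
{"ts":"2014-03-06T08:05:00","event":"narc.entry","user":"admin01","role":"sysadmin","run_id":"R-9999","drug":"morphine","qty_mg":4}
{"ts":"2014-03-07T09:00:00","event":"role.grant","user":"admin01","role":"sysadmin","target":"admin01","granted":"audit_suppress"}
{"ts":"2014-03-07T09:30:00","event":"pcr.create","user":"medic02","role":"paramedic","run_id":"R-1002","fields":{"morphine_mg":2}}
{"ts":"2014-03-07T10:00:00","event":"pcr.close","user":"medic02","role":"paramedic","run_id":"R-1002"}
{"ts":"2014-03-07T10:01:00","event":"pcr.edit","user":"medic02","role":"paramedic","run_id":"R-1002","fields":{"notes":"pt stable"}}
"""

# PCR fields whose after-the-fact modification should always be reviewed.
CONTROLLED_FIELDS = {"fentanyl_mcg", "morphine_mg"}


def parse_audit(text):
    """Parse JSON-lines audit records and order them by timestamp (ISO 8601 sorts lexically)."""
    events = [json.loads(line) for line in text.strip().splitlines() if line.strip()]
    events.sort(key=lambda e: e["ts"])
    return events


def post_close_controlled_edits(events):
    """Edits to controlled-substance fields made after the PCR was closed.

    Any such edit is returned, whoever made it: the indictment describes
    alterations to runs where the editor was also the attending paramedic,
    so excluding the report's author would miss exactly that pattern.
    """
    author, closed, findings = {}, set(), []
    for e in events:
        if e["event"] == "pcr.create":
            author[e["run_id"]] = e["user"]
        elif e["event"] == "pcr.close":
            closed.add(e["run_id"])
        elif e["event"] == "pcr.edit":
            touched = CONTROLLED_FIELDS & set(e.get("fields", {}))
            if touched and e["run_id"] in closed:
                findings.append((e["ts"], e["user"], e["role"], e["run_id"],
                                 sorted(touched), e["user"] == author.get(e["run_id"])))
    return findings


def phantom_narcotics_entries(events):
    """Narcotics-log entries that reference a run no PCR was ever created for."""
    known_runs = {e["run_id"] for e in events if e["event"] == "pcr.create"}
    return [(e["ts"], e["user"], e["run_id"], e["drug"])
            for e in events if e["event"] == "narc.entry" and e["run_id"] not in known_runs]


def self_privilege_grants(events):
    """An account granting additional privileges to itself."""
    return [(e["ts"], e["user"], e["granted"])
            for e in events if e["event"] == "role.grant" and e["target"] == e["user"]]


def run_checks(text):
    """Run all three checks over a JSON-lines audit log and return the findings by check."""
    events = parse_audit(text)
    return {
        "post_close_controlled_edits": post_close_controlled_edits(events),
        "phantom_narcotics_entries": phantom_narcotics_entries(events),
        "self_privilege_grants": self_privilege_grants(events),
    }


if __name__ == "__main__":
    for name, hits in run_checks(SAMPLE_AUDIT).items():
        print(f"{name}: {len(hits)} finding(s)")
        for hit in hits:
            print("   ", hit)
```

On the sample data the script flags the administrator's late edit to R-1001's fentanyl field, the morphine entry against the non-existent run R-9999, and admin01's grant of a new privilege to its own account; the paramedic's post-close edit of a free-text notes field is not flagged. The last check is the one Holtzman calls out specifically: an administrator who can add privileges to their own account can also disable the controls meant to catch the first two patterns, which is why these checks must run on logs the administrator cannot alter.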

MedStar Ambulance did not immediately respond to an Information Security Media Group request for comment on the Laut case.

Memorial Hospital Responds

In a statement, Memorial Hospital tells ISMG: "We have digital, cloud-based cradle-to-grave management of the possession, administration, reconstitution and waste of all schedule two narcotics."

The hospital says this process "utilizes FBI-certified biometric recognition and historical administration reporting functions on an individual and system basis. We also have policies and procedures to incorporate training and education on tampered narcotics recognition, quality control measures with individually serialized narcotics and narcotics tracking sheets. Lastly, we have highly stringent physical security requirements for providers and conduct random inspections on ambulances and agency offices that store narcotics when not in active use."

The hospital contends that the investigation resulting in the indictment of Laut "does not center around any illegal activity at Memorial Hospital or by a Memorial employee, nor failure by Memorial or Memorial employees to monitor and follow the policies of the Southwestern Illinois EMS concerning handling of narcotics."

About the Author

Marianne Kolbasuk McGee is executive editor of Information Security Media Group's HealthcareInfoSecurity.com media site. She has about 30 years of IT journalism experience, with a focus on healthcare information technology issues for more than 15 years. Before joining ISMG in 2012, she was a reporter at InformationWeek magazine and news site, and played a lead role in the launch of InformationWeek's healthcare IT media site.
